Hi Zeev!
On Mon, 27 Aug 2001, Zeev Suraski wrote:

> At 13:40 27-08-01, Thies C. Arntzen wrote:
> >On 27 Aug 2001 01:33:46 +0300, Zeev Suraski wrote:
> > > The other issue is a suggestion I want to pitch - right now, if sessions
> > > are started after the headers are already sent, we'll get a nice
> > > headers-already-sent error.  If we have trans_sid enabled (which we will
> > > most probably, from now on) - we can check whether the headers are already
> > > sent, and if they are, move to use trans_sid instead.  Any comments?
> > >
> >i tend not to do that. trans-sid is a very different thing from cookies
> >(session id's are populated to foreign-sites via HTTP_REFERRER). i don't
> >think we should default to it. developers should decide themselves if
> >they want trans-sid or not.
> 
> You lost your caps too? :)
> 
> I'm not sure what you meant in the HTTP_REFERRER issue - can you explain 

I guess if I am in a page generated by
http://www.example.com/foo/bar.php?SID=<32x[0-f]>

and in this page, there is a link to www.foo.com/malicious.php

malicious.php will see in HTTP_REFERER what your SID is.

-- teodor
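The leak teodor describes comes from the session id being carried in the URL, which any outbound link then hands to a third-party site in the Referer header. The following is an added example written for this thread, not code from PHP itself or from any of the posters: a small front-controller snippet that forces the cookie-only configuration, keeps the query string out of cross-origin Referer headers, and logs and rotates the session if an id still shows up in the URL. The function names (`urlCarriesSessionId`, `sessionIdArrivedViaUrl`, `startHardenedSession`) and the sample URL in the self-check are my own constructions; the ini keys, `session_regenerate_id` and the `Referrer-Policy` header are real.

```php
<?php
// Added example (not code from the original thread). Assumes the default
// session name "PHPSESSID"; everything else is standard PHP.

declare(strict_types=1);

const SESSION_NAME = 'PHPSESSID';

// Returns true when $url carries the session id in its query string, i.e. the
// form trans_sid would produce. Handy for auditing links before emitting them.
function urlCarriesSessionId(string $url, string $sessionName = SESSION_NAME): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    parse_str($query, $params);
    return array_key_exists($sessionName, $params);
}

// True when the request presented its session id only in the URL (no cookie).
// With use_only_cookies the URL id is ignored anyway; this check exists so the
// event can be logged and the id rotated.
function sessionIdArrivedViaUrl(array $get, array $cookie, string $sessionName = SESSION_NAME): bool
{
    return isset($get[$sessionName]) && !isset($cookie[$sessionName]);
}

function startHardenedSession(): void
{
    // Hardened settings, equivalent to these php.ini lines:
    //   session.use_only_cookies = 1
    //   session.use_trans_sid    = 0
    //   session.cookie_httponly  = 1
    // The weak counterpart that produces the leak is use_trans_sid = 1 with
    // use_only_cookies = 0, where the id is appended to every relative link.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    session_name(SESSION_NAME);

    // Keep the full URL (query string included) out of cross-origin Referer
    // headers, so even a stale ?PHPSESSID=... link does not travel off-site.
    header('Referrer-Policy: strict-origin-when-cross-origin');

    session_start();

    if (sessionIdArrivedViaUrl($_GET, $_COOKIE)) {
        // The URL id was not honoured (use_only_cookies), but it may already sit
        // in somebody's logs. Rotate the new session's id and record the event.
        session_regenerate_id(true);
        error_log(sprintf(
            '[session] id supplied via URL from %s for %s; rotated',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $_SERVER['REQUEST_URI'] ?? 'unknown'
        ));
    }
}

// Self-check with constructed inputs when run from the CLI (no HTTP context
// there, so the session part is skipped). Run with: php -d zend.assertions=1 file.php
if (PHP_SAPI === 'cli') {
    assert(urlCarriesSessionId('http://www.example.com/foo/bar.php?PHPSESSID=0123456789abcdef0123456789abcdef'));
    assert(!urlCarriesSessionId('http://www.example.com/foo/bar.php?page=2'));
    assert(sessionIdArrivedViaUrl(['PHPSESSID' => 'x'], []));
    assert(!sessionIdArrivedViaUrl(['PHPSESSID' => 'x'], ['PHPSESSID' => 'x']));
    echo "checks passed\n";
} else {
    startHardenedSession();
}
```

The `Referrer-Policy` header is the belt-and-braces part: even with trans_sid off, an application may still have hand-built links that embed the id, and the policy stops the browser from sending the query string to another origin. The `error_log` line gives a detection hook for ids that are still arriving in URLs, which is the signal that some link generator has not been cleaned up.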

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
